FOR508: Advanced Computer Forensic Analysis and Incident Response

-This course focuses on providing incident responders with the necessary skills to hunt down and counter a wide range of threats within enterprise networks, including economic espionage, hactivism, and financial crime syndicates. The completely updated FOR508 addresses today's incidents by providing real-life, hands-on response tactics. Don't miss the NEW FOR508!

Overview

DAY 0: A 3-letter government agency contacts you to say that critical information was stolen by a targeted attack on your organization. Don't ask how they know, but they tell you that there are several breached systems within your enterprise. You are compromised by an Advanced Persistent Threat, aka an APT - the most sophisticated threat you are likely to face in your efforts to defend your systems and data.

Over 90% of all breach victims learn of a compromise from third party notification, not from internal security teams. In most cases, adversaries have been rummaging through your network undetected for months or even years. Gather your team - it's time to go hunting.

FOR508: Advanced Computer Forensic Analysis and Incident Response will help you determine:

How did the breach occur?

What systems were compromised?

What did they take? What did they change?

How do we remediate the incident?

The updated FOR508 trains digital forensic analysts and incident response teams to identify, contain, and remediate sophisticated threats-including APT groups and financial crime syndicates. A hands-on lab-developed from a real-world targeted attack on an enterprise network-leads you through the challenges and solutions. You will identify where the initial targeted attack occurred and which systems an APT group compromised. The course will prepare you to find out which data was stolen and by whom, contain the threat, and provide your organization the capabilities to manage and counter the attack.

During a targeted attack, an organization needs the best incident responders and forensic analysts in the field. FOR508 will train you and your team to be ready to do this work.

Overview

Incident responders should be armed with the latest tools, memory analysis techniques, and enterprise scanning methodologies in order to identify, track and contain advanced adversaries, and remediate incidents. Incident response and forensic analysts responding must be able to scale their examinations from the traditional one analyst per system toward one analyst per 1,000 or more systems. Enterprise scanning techniques are now a requirement to track targeted attacks by an APT group or crime syndicate groups which propagate through thousands of systems. This is simply something that cannot be accomplished using the standard "pull the hard drive" forensic examination methodology. Such an approach will in fact alert the adversary that you are aware and may allow them to quickly exfiltrate sensitive information. In this section, the six-step incident response methodology is examined as it applies to response in an enterprise during a targeted attack. We will show how important development of security intelligence is in affecting the adversaries "kill chain." We will also demonstrate live response techniques and tactics that can be applied on a single system and across the entire enterprise.

CPE/CMU Credits: 6

Topics

SIFT Workstation Overview

Layout and Configuration

Programs Installed

Core Tools Used

Incident Response Methodology

Preparation - key tools, techniques, and procedures each IR team needs to properly respond to intrusions

Identification- proper scoping an incident and detecting all compromised systems in the enterprise

Containment - identify exactly how the breach occurred and what was taken

Eradication - determine key steps that must be taken to help stop the current incident

Recovery - helps identify threat intelligence to be used to see if the same adversary returns to the enterprise

Overview

Critical to many IR teams detecting advanced threats in the organization, memory forensics has come a long way in just a few years. It can be extraordinarily effective at finding evidence of worms, rootkits, and advanced malware used by an APT group of attackers. While traditionally solely the domain of Windows internals experts, recent tools now make memory analysis feasible for anyone. Better interfaces, documentation, and built-in detection heuristics have greatly leveled the playing field. This section will introduce some of the newest free tools available and give you a solid foundation in adding core and advanced memory forensic skills to your incident response and forensics armory.

Overview

Timeline Analysis will change the way you approach digital forensics and incident response... forever.

Learn advanced analysis techniques uncovered via timeline analysis directly from the developers that pioneered timeline analysis tradecraft. Temporal data is located everywhere on a computer system. Filesystem modified/access/creation/change times, log files, network data, registry data, and, internet history files all contain time data that can be correlated into critical analysis to successfully solve cases. Pioneered by Rob Lee in 2001, timeline analysis has become a critical investigative technique to solve complex cases. New timeline analysis frameworks provide the means to conduct simultaneous examinations of a multitude of time based artifacts. Analysis that once took days now takes minutes. This section will step you through the two primary methods of creating and analyzing timelines created during advanced incidents and forensic cases. Exercises will not only show each analyst how to create a timeline, but introduce key methods to use them effectively in your cases.

Overview

A major criticism of digital forensic professionals is that many tools simply require a few mouse clicks to have the tool automatically recover data as evidence. This "push button" mentality has led to many inaccurate case results in the past few years including high profile cases such as the Casey Anthony murder trial. You will stop being reliant on "push button" forensic techniques as we cover how the engines of digital forensic tools really work. To understand how to carve out data, it is best to understand how to do it by hand and then show how automated tools should be able to recover the same data. You will learn how to perform string searches looking for specific residue from a file and learn multiple ways to recover the file data across the layers of the filesystem. If a file or registry key has been wiped or deleted, this section shows how to use Windows historical artifacts to still recover key pieces of the data that no longer exist on the system. This knowledge will allow you to see beyond most anti-forensic techniques allowing you to gain the advantage while responding to breaches in your organization where an adversary is actively attempting to hide from you.

Overview

PART 1 - INTRUSION FORENSICS - THE ART OF FINDING UNKNOWN MALWARE

The adversaries are good, we must be better.

Over the years, we have observed that many incident responders have a challenging time finding malware without effective indicators of compromise (IOCs) or threat intelligence gathered prior to a breach. This is especially true in APT group intrusions.

This advanced session will demonstrate techniques used by first responders to discover malware or forensic artifacts when very little information exists about their capabilities or hidden locations. We will discuss techniques to help funnel possibilities down to the candidates most likely to be evil malware trying to hide on the system.

The section concludes with a step-by-step approach on how to handle some of the most difficult types of investigations. You will learn the best ways to approach intrusion and spear phishing attacks. You will understand locations you can examine to determine if file wiping occurred. You will discover techniques to prove that privacy clearing software was utilized. Regardless of the actions hackers might take, they will always leave something that can be traced. This discussion will solidify your new skills into a working attack plan to solve these difficult cases.

PART II - COMPUTER INVESTIGATIVE LAW FOR ANALYSTS AND RESPONDERS

Legal issues, especially liability, remain foremost in the minds of an incident handler or forensic investigator. Therefore, this section has more discussion than any other we offer. Learn to investigate incidents while minimizing the risk for legal trouble. This course is designed not for management, but for the Digital Forensic and Incident Response team leaders in charge of an investigation. The content focuses on challenges that every lead investigator needs to understand before, during, and post investigation. Since many investigations can end up in a criminal or civil courtroom, it is essential to understand how to perform a computer-based investigation legally and ethically.

We will confront many of the legal myths that have caused you to hesitate when developing your incident handling procedures and pursuing incidents. You will also gain a realistic perspective on the strengths and limitations of law enforcement assistance in the investigation of incidents and the prosecution of attackers. Written by one of the foremost computer crime lawyers, the information presented provides an essential legal foundation for professionals managing or working in incident handling teams around the world.

CPE/CMU Credits: 6

Topics

PART 1 - INTRUSION FORENSICS - THE ART OF FINDING UNKNOWN MALWARE

Step-by-Step Finding Unknown Malware On A System

Data Reduction / File Sorting

Data Carving

Indicators of Compromise (IOC) Search

Automated Memory Analysis

Evidence of Persistence

Supertimeline Examination

Packing / Entropy / Density Check

System Logs

Memory Analysis

Automated Malware Lookups

MFT Anomalies

Timeline Anomalies

Anti-Forensics Detection Methodologies

Deleted File

Deleted Registry Keys

File Wiping

Clearing Browsing History

Privacy Cleaner

Adjusting Timestamps

Methodology to Analyze and Solve Challenging Cases

Malware/Intrusion

Spear Phishing Attacks

Web Application Attacks/SQL Injection

Advanced Persistent Threat Actors

Detecting Data Exfiltration

PART II - COMPUTER INVESTIGATIVE LAW FOR ANALYSTS AND RESPONDERS

Who Can Investigate and Investigative Process Laws

Internal and External Investigations

Authority to Investigate

Credentials and Training

Ramification Of An Incident That Involves Multiple Countries

Following Agency/Employer Policy and Procedures

Digital Forensic Ethical Standards

Evidence Acquisition/Analysis/Preservation Laws and Guidelines

Major Goals Associated With Acquiring Data

Legal Authority To Allow For Data Acquisition

Stored and Real Time Data

Evidence/Information You Can Share With Third Parties and Law Enforcement

Legal Authority Necessary To Collect Data

Laws Investigators Should Know

Criminal and Civil Law Procedures - Understanding The Laws and Procedures Related To Evidence, Search Authority and Scope.

Civil Privacy Laws

Wiretapping and Pen Register Trap and Trace Laws

Forensic Reports and Testimony

Legal Testimony

Address Scientific Process, Audience, and Legal Utility

How To Document Work So It Is Repeatable

Scientific Methods That Show Clear Conclusions Based In Factual Evidence

Overview

This incredibly rich and realistic enterprise intrusion exercise based on an real-world APT group brings together some of the most exciting techniques learned earlier in the week and tests your newly acquired skills in a case that simulates an attack by an advanced adversary such as an APT. This challenge brings it all together using a simulated intrusion into a real enterprise environment consisting of multiple Windows systems. You will be asked to uncover how the systems were compromised in the initial intrusion, find other systems the adversary moved to laterally, and identify intellectual property stolen via data exfiltration. You will walk out of the course with hands-on experience investigating realistic scenarios, which were put together by a cadre of individuals with many years of experience fighting advanced threats such as an APT group.

CPE/CMU Credits: 6

Topics

The Intrusion Forensic Challenge will have each Incident Response team analyzing multiple systems in the Enterprise network.

Each Incident Response team will be asked to answer the following key questions during the challenge just like they would during a real-breach in their organizations:

IDENTIFICATION AND SCOPING:

How and when did the APT group breach our network?

List all compromised systems by IP address and specific evidence of compromise.

When and how did the attackers first laterally move to each system?

CONTAINMENT AND SECURITY INTELLIGENCE GATHERING:

How and when did the attackers obtain domain administrator credentials?

Once on other systems, what did the attackers look for on each system?

Email was extracted from executives and system administrators in the enterprise. Are there specific types of email the attackers appeared interested in?

There is a concern among management that compromised critical intellectual property has been exfiltrated from the network. Determine what was stolen: Recover any .rar files or archives exfiltrated, find the .rar encoding password, and extract the contents to verify extracted data.

Collect and list all malware used in the attack.

Develop and present security intelligence or an Indicator of Compromise (IOC) for the APT-group "beacon" malware for both host and network based enterprise scoping.

What specific indicators exists for the use of this malware?

REMEDIATION AND RECOVERY

Do we need to change the passwords for every user in domain or just the ones affected by the systems compromised?

Based on the attacked techniques and tools discovered during incident, what are the recommended steps to remediate and recover from this incident?

What systems need to be rebuilt?

What IP addresses need to be blocked?

What countermeasures should we deploy to slow or stop these attackers if they come back?

What recommendations would you make in order to detect these intruders in our network again?

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities.

Please download and install VMware Workstation 10, VMware Fusion 6.0, or VMware Player 6.0 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site. VMware Player is a free download that does not need a commercial license. Most students find VMware Player adequate for the course.

MANDATORY FOR508 SYSTEM HARDWARE REQUIREMENTS:

CPU: 64-bit Intel├┬« x64 2.0+ GHz processor or higher based system is mandatory for this class (Important - Please Read: a 64 bit system processor is mandatory)

RAM: 4 GB (Gigabytes) of RAM minimum (Note: We strongly recommend 6 GB of RAM or higher to get the most out of the course)

Host Operating System: Any version of Windows or MAC OSX that also can install and run VMware virtualization products (VMware Workstation, VMware Fusion, or VMware Player) Please note, those with MACs generally do better with Boot Camp installed and running Windows from your MAC. While it works on OSX, some students have experienced problems with VMware Fusion during the course.

Networking: Wireless 802.11 B, G, or N

DVD/CD Combo Drive

USB 2.0 or higher Port(s)

200 Gigabyte Host System Hard Drive minimum

~1000 Gigabytes of Free Space on your System Hard Drive (Note: The free space is needed for the SIFT Workstation VM and the evidence --64 GB--we will be adding to your system)

The student should have the capability to have Local Administrator Access within their host operating system

MANDATORY FOR508 SYSTEM SOFTWARE REQUIREMENTS (Please install the following prior to the beginning of the class):

If you are using an Apple Laptop / MacBook with OSX as your operating system it is required you additionally bring a Windows Virtual System (Win7 or Win8 - Any Version) to class or install bootcamp

Bring/install any other forensic tool you feel could be useful (EnCase, FTK, etc). For the final challenge at the end of the course, you can utilize any forensic tool, including commercial capabilities, to help you and your team. If you have any dongles, licensed software, you are free to use it.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Incident Response Team Members who respond to complex security incidents/intrusions from an APT group / advanced adversaries and need to know how to detect, investigate, recover, and remediate compromised systems across an enterprise.

Red Team Members, Penetration Testers, and Exploit Developers who want to learn how their opponents can identify their actions. Discover how common mistakes can compromise operations on remote systems, and how to avoid them. This course covers remote system forensics and data collection techniques that can be easily integrated into post-exploit operating procedures and exploit testing batteries.

SANS FOR408 and SEC504 Graduates looking to take their skills to the next level

One of the biggest complaints that many have in the digital forensics and incident response community is the lack of realistic intrusion data. Most real-world intrusion data is simply too sensitive to be shared.

Starting a year ago, course authors created a realistic scenario based on experiences surveyed from panel of responders who regularly respond to targeted APT attacks. They helped review and guide the targeted attack "script" used to create the scenario. As a result, the authors created an incredibly rich and realistic attack scenario across multiple enterprise systems. This APT attack lab forms the basis for training during the week. The network was setup to mimic a standard "protected" enterprise network using standard compliance checklists.

Full auditing turned on per recommended FISMA guidelines

Windows DC set up and configured. DC not tightened down the network more than what is expected in real enterprise networks

Systems installed and have real software on it that is used (Office, Adobe, Skype, Tweetdeck, Email, Dropbox, Firefox, Chrome)

Fully patched (Patches are automatically installed)

Enterprise Incident Response agents

Enterprise A/V and On-Scan capability based on DoD's Host Based Security System - HBSS

Discover every system compromised in your enterprise utilizing incident response tools such as F-Response and digital forensic analysis capabilities in the SIFT Workstation to identify APT beach head and spear phishing attack mechanisms, lateral movement, and data exfiltration techniques.

Using the SIFT Workstation├ó┬┬s capabilities, perform forensic analysis and incident response on any remote enterprise hard drive or system memory without having to image the system first allowing for immediate response and scalable analysis to take place across the enterprise.

Using system memory and the Volatility toolset to discover active malware on a system, determine how the malware was placed there, and recover it to help develop key threat intelligence to perform proper scoping activities during incident response.

Detect advanced capabilities such as Stuxnet, TDSS, or APT command and control malware immediately through memory analysis using Redline├ó┬┬s Malware Rating Index (MRI) to quickly ascertain the threat to your organization and aid in scoping the true extent of the data breach

Track the exact footprints of an attacker crossing multiple systems and observe data they have collected to exfiltrate as you track your adversary├ó┬┬s movements in your network via timeline analysis using the log2timeline toolset

Begin recovery and remediation of the compromise via the use of Indicators of Compromise (IOC), Threat Intelligence, and IR/Forensics key scanning techniques to identify active malware and all enterprise systems affected by the breach

Discover an adversary├ó┬┬s persistence mechanisms to allow malware to continue to run on a system after a reboot using command-line tools such as autorunsc, psexec, jobparser, group policy, triage-ir, and IOCFinder.

This course uses the SIFT Workstation to teach incident responders and forensic analysts how to respond to and investigate sophisticated attacks. SIFT contains hundreds of free and open source tools, easily matching any modern forensic and incident response tool suite.

Discover every system comprised in your enterprise utilizing incident response tools such as F-Response and digital forensic analysis capabilities in the SIFT Workstation to identify APT beach head and spear phishing at- tack mechanisms, lateral movement, and data exfiltration techniques.

Using the SIFT Workstation's capabilities, preform forensic analysis and incident response on any remote enterprise hard drive or system memory without having to image the system first, allowing for immediate response and scalable analysis to take place across the enterprise.

Using system memory and the Volatility toolset to discover active malware on a system, determine how the malware was placed there, and recover it to help develop key threat intelligence to perform proper scoping activities during incident response.

Detect advanced capabilities such as Stuxnet, TDSS, or APT command and control malware immediately through memory analysis using Redline├ó┬┬s Malware Rat- ing Index (MRI) to quickly ascertain the threat to your organization and aid in scoping the true extent of the data breach

Track the exact footprints of an attacker crossing multiple systems and observe data they have collected to exfiltrate as you track your adversary├ó┬┬s movements in your network via timeline analysis using the log2timeline toolset

Begin recovery and remediation of the compromise via the use of Indicators of Compromise (IOC), Threat Intelligence, and IR/Forensics key scanning techniques to identify active malware and all enterprise systems affected by the breach

Discover an adversary's persistence mechanisms to allow malware to continue to run on a system after a reboot using command-line tools such as autorunsc, psexec, jobparser, group policy, triage-ir, and IOCFinder.

"THE SANS508 COURSE EXCEEDED MY EXPECTATIONS IN EVERY WAY. IT PROVIDED ME THE SKILLS, KNOWLEDGE, AND TOOLS TO EFFECTIVELY RESPOND TO AND HANDLE APTS AND OTHER ENTERPRISE WIDE THREATS." -Josh Moulin NSTEC/NNSA/DOE

"THE EXAMPLES IN THE COURSE RELATE TO WHAT I NEED TO KNOW TO DEAL WITH REAL WORLD THREATS." -Tim Weaver, Digital Mtn. Inc.

"I WAS SURPRISED AND AMAZED AT HOW EASY IT IS TO DO MEMORY ANALYSIS AND HOW HELPFUL IT IS." - Brian Dugay, Apple

"THE LEVEL OF DETAIL IS AMAZING. THE METHODOLOGY IS CLEARLY EFFECTIVE AT FINDING PERTINENT ARTIFACTS." - no name

"I'VE TAKEN OTHER NETWORK INTRUSION CLASSES BUT NOTHING THIS IN-DEPTH. THE CLASS IS OUTSTANDING!" -- Craig Goldsmith, FBI

"EXCELLENT COURSE, INVALUABLE HANDS-ON EXPERIENCE TAUGHT BY PEOPLE WHO NOT ONLY KNOW THE TOOLS AND TECHNIQUES, BUT KNOW THEIR QUIRKINESS THROUGH PRACTICAL, REAL-WORLD EXPERIENCE." -John Alexander, US Army

"THIS COURSE (FOR508) REALLY TAKES YOU FROM 0-60 IN UNDERSTANDING THE CORE CONCEPTS OF FORENSICS, ESPECIALLY THE FILE SYSTEM." -Matthew Harvey, U.S. Department of Justice

"IF YOU NEED TO TRACK DOWN WHAT HAPPENED IN YOUR ENVIRONMENTS, THIS IS A MUST HAVE COURSE!" -Fran Moniz, American National Insurance

"BEST FORENSICS TRAINING I'VE HAD SO FAR. I THOUGHT THE SOME OTHERS COURSES WERE GREAT BUT 508 IS A LOT MORE CURRENT AND APPLICABLE TO THE REAL WORLD! EXCELLENT COURSE AND INSTRUCTOR OVERALL!" -Marc Bleicher, Bit9

Author Statement

"There are people smarter than you, they have more resources than you, and they are coming for you. Good luck with that." Matt Olney said when describing the Advanced Persistent Threat and advanced adversaries. He was not joking. The results over the past several years clearly indicate that hackers employed by nation states and organized crime are racking up success after success. The Advanced Persistent Threat has compromised hundreds of organizations. Organized crime organizations, utilizing botnets are exploiting ACH fraud daily. Similar groups are penetrating banks and merchants, stealing credit card data daily. Fortune 500 companies are beginning to detail data breaches and hacks in their annual stockholders reports.

The enemy is getting better, bolder, and their success rate is impressive.

We can stop them, but in order to do so we need to field more sophisticated incident responders and digital forensic investigators. We need lethal digital forensic experts who can detect and eradicate advanced threats immediately. A properly trained incident responder could be the only defense your organization has left during a compromise. Forensics 508: ADVANCED COMPUTER FORENSIC ANALYSIS AND INCIDENT RESPONSE is crucial training for you to become a lethal forensicator so that you can step up to these advanced threats. The enemy is good. We are better. This course will help you become one of the best. - Rob Lee